Linkury - malware with a EULA

Wednesday 30 September 16:00 - 16:30, Red room

Arun Kumar Shunmuga Sundaram (K7 Computing)
Rajeshkumar Ravichandran (K7 Computing)



Remember Virtumundo, the malware which began as adware? Well, say hello to Linkury, which started life as a toolbar monetizer but is now relevant to the malware threat landscape. Owing to the extinction of the toolbar business Linkury moved on to adopt other revenue streams. They have been quite successful too, given the number of times Linkury binaries have cropped up in our telemetry feed over the past year. In fact, this is what drove us to inspect their binaries and TTPs in the first place. At first glance, based on behaviour alone, they seemed to resemble standard adware, but upon analysing deeper we saw enough to convince ourselves that they should be categorised as malware.

Linkury malware is multi-platform (Windows and macOS) and part of a much larger pay-per-install monetization model network. The binaries masquerade as legitimate applications displaying a generic EULA and Privacy Policy which, based on their activities, we feel are completely disregarded in practice.

We were able to identify more than two active campaigns. The initial infection vector is a drive-by download whereby an agent file is dropped. This further downloads some adware components based on the geographical locale of the victim, the infamous Webcompanion being one of them. The agent file invited close scrutiny because it employs anti-VM, anti-sandbox and AV-evasion tricks by checking registry entries, running processes and specific artefacts related to VMs and sandboxes. It also uses a standard process-injection technique via CreateRemoteThread, and loads an MSIL file dynamically using CLR Hosting APIs; persistence and obfuscation techniques are also used. Very far from your typical adware, right?
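As an added illustration, not part of the abstract or of the authors' paper, the following Python sketch shows how a defender might surface two of the agent behaviours named above in endpoint telemetry: a CreateRemoteThread call aimed at another process, and a native (non-.NET) image loading mscoree.dll, which is the library through which the CLR Hosting APIs bring up the runtime. The event format, the sample events and the managed-host path allowlist are assumptions made for this example.

```python
"""Detection sketch for two agent behaviours described in the abstract:
cross-process CreateRemoteThread and CLR hosting from a native process.
The telemetry schema and the events below are constructed for this example."""
import ntpath
from collections import defaultdict

# Constructed sample telemetry: one dict per event, in time order.
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 4120,
     "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\agent.exe"},
    {"type": "process_start", "pid": 5228, "image": "C:\\Windows\\explorer.exe"},
    {"type": "image_load", "pid": 5228, "module": "C:\\Windows\\System32\\shell32.dll"},
    # agent.exe creates a thread inside explorer.exe: classic injection signal
    {"type": "api_call", "pid": 4120, "api": "CreateRemoteThread", "target_pid": 5228},
    # a thread created in the caller's own process is not injection
    {"type": "api_call", "pid": 4120, "api": "CreateRemoteThread", "target_pid": 4120},
    # a native image pulling in the CLR shim and runtime: CLR hosting signal
    {"type": "image_load", "pid": 4120, "module": "C:\\Windows\\System32\\mscoree.dll"},
    {"type": "image_load", "pid": 4120,
     "module": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll"},
    # a managed .NET tool loading mscoree.dll is expected and must not fire
    {"type": "process_start", "pid": 6100,
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe"},
    {"type": "image_load", "pid": 6100, "module": "C:\\Windows\\System32\\mscoree.dll"},
]

# Assumption for this example: images under these prefixes are managed
# hosts that load the CLR legitimately. A real deployment would build
# this allowlist from a baseline of known managed processes instead.
MANAGED_HOST_PREFIXES = ("c:\\windows\\microsoft.net\\",)


def _basename(path):
    """Case-folded file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def process_images(events):
    """Map pid -> image path from process_start events."""
    return {e["pid"]: e["image"] for e in events if e["type"] == "process_start"}


def remote_thread_injections(events):
    """(source_pid, target_pid) pairs where CreateRemoteThread crossed a process boundary."""
    return [(e["pid"], e["target_pid"]) for e in events
            if e["type"] == "api_call" and e["api"] == "CreateRemoteThread"
            and e["target_pid"] != e["pid"]]


def clr_hosting_processes(events):
    """Pids of non-allowlisted (native) images that loaded mscoree.dll."""
    images = process_images(events)
    hosts = set()
    for e in events:
        if e["type"] != "image_load" or _basename(e["module"]) != "mscoree.dll":
            continue
        if images.get(e["pid"], "").lower().startswith(MANAGED_HOST_PREFIXES):
            continue
        hosts.add(e["pid"])
    return hosts


def suspicious_processes(events):
    """Correlate both signals per pid so an analyst sees the combined picture."""
    images = process_images(events)
    reasons = defaultdict(list)
    for src, dst in remote_thread_injections(events):
        target = _basename(images.get(dst, "<unknown>"))
        reasons[src].append(f"CreateRemoteThread into pid {dst} ({target})")
    for pid in clr_hosting_processes(events):
        reasons[pid].append("native image loaded mscoree.dll (CLR hosting)")
    return dict(reasons)


if __name__ == "__main__":
    images = process_images(SAMPLE_EVENTS)
    for pid, why in suspicious_processes(SAMPLE_EVENTS).items():
        print(f"pid {pid} {_basename(images[pid])}:")
        for line in why:
            print(f"  - {line}")
```

Either signal on its own is weak (debuggers create remote threads, and plenty of legitimate native applications host the CLR), which is why the last function keeps both reasons per process rather than alerting on the first hit; the list is what an analyst would pivot from to the registry, process and sandbox-artefact checks the abstract mentions.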

The binaries also have infostealer and downloader capabilities which are used to capture the demography of the victim, based on which more adware components are downloaded, obviously without the victim’s knowledge, let alone consent. Linkury also installs the Opera browser, if not already installed, and Chrome extensions which are then exclusively used to bombard victims with unwanted pop-up ads. To cap it all, the data stealthily stolen by this malware is riddled with PII.

In this paper we will thoroughly analyse all aspects of this malware’s binary components and expose Linkury’s monetization business model.


Arun Kumar Shunmuga Sundaram

Arun Kumar Shunmuga Sundaram, a computer science Master’s graduate from the University of Glasgow, has been working as a threat researcher at K7 Threat Control Labs for the past five years. He works on generic, heuristic and behaviour-based detection mechanisms as well as on threat intelligence. His research findings have also contributed to the K7 lab blog. Apart from being passionate about reversing, he is an avid gamer and loves to follow up on indie gaming.

@myarun88_2


Rajeshkumar Ravichandran

Rajeshkumar R is a threat researcher at K7 Threat Control Labs and holds a Master's degree in computer applications from Anna University, Chennai. His core responsibilities include reversing and providing detection at multiple layers for prevalent malware in addition to monitoring the latest trends in ransomware attacks. He also publishes his research findings on the K7 lab blog from time to time. Outside of malware research, he likes to spend his spare time swimming and has a keen interest in current events and politics.

@rockrajesh12493
